Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.
AnalysisAI
The ISO-2022-JP encoder in Lexbor before version 2.7.0 contains an integer underflow vulnerability that allows unauthenticated remote attackers to read from stack memory and write to heap memory by crafting malicious DOM tree content. The flaw stems from a failure to reset a size variable between iterations, causing an out-of-bounds memcpy operation with a wrapped SIZE_MAX value. No patch is currently available for affected systems.
Technical ContextAI
Lexbor is a web browser engine library used for HTML/CSS parsing and rendering. The vulnerability stems from an integer underflow (CWE-191) in the ISO-2022-JP character encoding handler where a stale size variable (size=3) is not properly reset between encoding iterations. When ctx->buffer_used -= size is executed with this stale value, it causes an integer underflow that wraps to SIZE_MAX, subsequently triggering memcpy operations with invalid negative lengths that result in stack-based out-of-bounds reads and heap-based out-of-bounds writes.
RemediationAI
Upgrade Lexbor library to version 2.7.0 or later which contains the fix for this vulnerability. Applications using Lexbor should rebuild with the patched version. As a temporary mitigation, consider disabling or restricting processing of ISO-2022-JP encoded content if feasible in your environment, or implement input validation to sanitize DOM tree content before processing. Monitor for any vendor-specific security advisories if using products that embed Lexbor.
Same weakness CWE-191 – Integer Underflow
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12051